Electronic commerce systems may store confidential or other sensitive information of their customers so that the customers do not need to reenter the confidential information for each new transaction. The confidential information may include a credit card number, a social security number, a password, and so on. It is well known that criminals go to great lengths to steal such confidential information from these electronic commerce systems. Indeed, it has been reported that confidential information of hundreds of millions of people stored by web servers and other servers has been compromised by security breaches. To help ensure that the confidential information of their customers is secure, these electronic commerce systems may take extensive security measures. In the case of credit card information, the Payment Card Industry (“PCI”) Security Standards Council publishes standards, such as the Data Security Standard (“DSS”), and provides certifications for electronic commerce systems that are in compliance with those standards. Although compliance with such standards can help secure confidential information, criminals are continually developing innovative ways to steal such confidential information.
Because the implementation and certification of electronic commerce systems that comply with industry standards can be both time-consuming and expensive, some software development organizations provide electronic commerce systems that store confidential information of their clients at a central repository, rather than at each client's computer system. By storing the confidential information at a central repository, the software development organization, rather than each client, bears the burden of implementing a secure system and obtaining the necessary certifications. Such storage of confidential information at a central repository is, however, not without risk. The central repository stores the confidential information of many clients, each of which may have tens of thousands of customers. While a breach of the security of a single client may risk the confidential information of only the customers of that client, the breach of the security of the central repository may risk the confidential information of all the customers of all the clients.
To help reduce the risk associated with storing confidential information, some software development organizations may contract with third parties to actually store the confidential information of their clients. Such third parties may specialize in securely storing confidential information at their servers, which may be referred to as “secure storage vaults.” Even if a software development organization contracts with such a third party, the software development organization may, under some legal systems, be liable if the security of the third party is breached and the confidential information of its clients falls into the wrong hands.